Security A to Z: Glossary of the most important terms

Uploaded by: f-secure-corporation

Posted on 28-Jan-2018

Page 1: Security A to Z: Glossary of the most important terms

Security A to Z: the most important terms

UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs.

Learn more about the most important security terms with our official explanations from F-Secure Labs.

A to Z


A

ADWARE: Adware is F-Secure’s classification name for software that displays advertisements on computers or devices. The advertisements may be displayed on the desktop or during a web browsing session. Adware is often bundled with free software that provides some functionality to the user. Revenue from the advertising is used to offset the cost of developing the software, which is therefore known as ‘ad-supported’.

ATTACK SURFACE: Code that is active in a target system and is somehow involved in processing input that can be used in attacks. Any vulnerability that can be exploited is part of the attack surface. A basic idea in security is to disable all unnecessary features in software and thus limit the attack surface. Disabling code in this manner prevents it from being exploited, even if it contains a vulnerability.

ATTACK VECTOR: The method of contact used to attack victims. Typical attack vectors include email, the web and USB media.

B

BACKDOOR: A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network. These utilities may be legitimate and may be used for legitimate reasons by authorized administrators, but they may also be misused by attackers. A backdoor is usually able to gain control of a system because it exploits vulnerabilities, bugs or undocumented processes in the system’s code.

BANKING FRAUD / TROJAN: Malware that attackers use to access their victim’s online banking.

BOTNET: A network of devices infected with a specialized form of malware known as a bot, which can be remotely controlled by an attacker, usually via a command-and-control (C&C) server. Each infected computer may be known as a bot, a zombie computer or a zombie. An attacker, or group of attackers, can harness the collective resources of a botnet to perform major malicious actions, such as sending millions of spam emails, launching a distributed denial-of-service (DDoS) attack, and much more.

BRUTE-FORCE ATTACK: A type of attack that typically targets authentication mechanisms such as passwords. A brute-force attack is an exhaustive, trial-and-error attempt that involves rapidly cycling through a comprehensive list of possible passwords or decryption keys until the correct one is entered. Brute-force attacks commonly succeed because of weak passwords and/or human error or laxness. Often, a brute-force attack is combined with a dictionary attack, which uses a long list of words taken from dictionaries and popular culture references. Unlike a standard brute-force attack, a dictionary attack uses the words that are thought most likely to succeed.
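Detection logic for the brute-force attack entry above, as an added example that is not part of the F-Secure glossary: it parses constructed OpenSSH-style authentication log lines, flags any source address that accumulates a threshold of failed logins inside a short window, and records whether a successful login followed the burst. The log lines, the threshold and the window are constructed assumptions.

```python
"""Flag brute-force / dictionary-style login guessing in authentication logs.

Added example, not from the F-Secure glossary. The log lines are constructed
(OpenSSH-style syslog, RFC 5737 documentation addresses) and the threshold
and window are assumptions a defender would tune for their environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one address cycles through likely usernames and
# fails five times in five seconds, then succeeds; another just mistypes twice.
SAMPLE_LOG = """\
Jan 28 10:00:01 host sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 5100 ssh2
Jan 28 10:00:02 host sshd[100]: Failed password for invalid user root from 203.0.113.5 port 5101 ssh2
Jan 28 10:00:03 host sshd[100]: Failed password for invalid user test from 203.0.113.5 port 5102 ssh2
Jan 28 10:00:04 host sshd[100]: Failed password for invalid user guest from 203.0.113.5 port 5103 ssh2
Jan 28 10:00:05 host sshd[100]: Failed password for invalid user oracle from 203.0.113.5 port 5104 ssh2
Jan 28 10:00:06 host sshd[100]: Accepted password for alice from 203.0.113.5 port 5105 ssh2
Jan 28 10:05:00 host sshd[101]: Failed password for bob from 198.51.100.7 port 6000 ssh2
Jan 28 10:20:00 host sshd[102]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Jan 28 10:21:00 host sshd[103]: Accepted password for bob from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2018):
    """Parse one sshd line into a dict, or return None if it is not a login event.

    Syslog lines carry no year, so the caller supplies one (assumed 2018 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_brute_force(log_text, max_failures=5, window_seconds=60):
    """Return {ip: alert} for every source with >= max_failures failures inside
    window_seconds. Each alert lists the usernames tried (many distinct names
    point to dictionary-style guessing) and whether a later login from the
    same address succeeded, which is the case to escalate first."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            users[ip].add(ev["user"])
            # keep only failures that still fall inside the sliding window
            failures[ip] = [t for t in failures[ip]
                            if (ev["ts"] - t).total_seconds() <= window_seconds]
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= max_failures:
                alerts[ip] = {"failures": len(failures[ip]),
                              "users": sorted(users[ip]),
                              "success_after": False}
        elif ip in alerts:
            # a success right after a burst of failures: treat as likely compromise
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```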


C

CLIENT / ENDPOINT: A PC or Mac workstation or laptop, or a mobile phone. Basically anything that runs code and is capable of running security software. The basic definition of a client is a device that can run independent applications, while a terminal is just a screen that provides input access to a computer located somewhere else.

CLOUD SECURITY: Security that is provided from a remote server. The benefit of cloud security is that a remote server receives information from multiple sources, so it can make better decisions. Another security benefit of cloud security is that attackers cannot reverse engineer security features that are implemented at the remote cloud server.

COMMAND AND CONTROL / C2: The command and control (C&C, or CC) server of a botnet is the main control point for the entire network of enslaved computers.

CYBER ATTACK: Cyber attacks target computerized infrastructure, and can therefore produce effects outside of the computing domain. Effects are what define cyber attacks, not methods. If a denial-of-service attack against a bank website crashes payment processing servers and prevents people from paying for things with credit cards or withdrawing money from an ATM, it is a cyber attack. An attack against a hobby game server may be technically identical, but if it only affects that particular game, it would not be considered a cyber attack.

CYBER ESPIONAGE: Espionage that uses computers as its tools. It typically involves hacking or using malware to break into corporate computers and steal information.

CYBER SECURITY: Security that focuses on preventing cyber attacks. Basically the same as information security, except that one should also consider the effects that attackers can produce once they have control of corporate systems, and build custom security mechanisms for critical resources. A typical example would be restricting the network connections of workstations with access to a corporate bank account, or of a production line controller computer. Cyber security is also used by less honest consultants as a way to rename everything that used to be called information security in order to charge bigger fees from customers.


D

DATA BREACHAn incident that involves data leaking from an organization as the result of a successful attack.

DDOS: A type of attack conducted over the Internet, using the combined resources of many computers to bombard, and frequently crash, a targeted computer system or resource (e.g. a program, website or network). There are various types of distributed denial-of-service (DDoS) attack, classified by how the attack is conducted. DDoS attacks are sometimes included as part of a worm or trojan’s payload: all infected computers are directed to attack the selected target. DDoS attacks are also often performed by botnets, as the combined resources of all the computers in the botnet can generate a terrific amount of data, enough to overwhelm most targets’ defenses within seconds. DDoS attacks have become one of the more dangerous menaces of the modern Internet.

DLP: Data Leakage Prevention; software or a service used to detect and possibly prevent information/data breaches.

DOMAINA domain name (e.g. www.f-secure.com) is a human-friendly text string given to identify a specific resource on the Internet – in most cases, a website. Each domain name maps to a specific IP address. Domain names are used because IP addresses, which are what the computers use to identify common resources, aren’t easy for humans to remember. Domain names are a part of the hierarchical Domain Name System (DNS) used to organize all resources on the Internet.

DRIVE-BY DOWNLOADThe automatic download of a program from a visited website onto a user’s computer, almost always without their knowledge or authorization. Drive-by downloads are often used in conjunction with Search Engine Optimization (SEO) attacks, in which search engine results are poisoned in order to redirect users to a malicious site where the drive-by attack can take place. The term ‘drive-by download’ is most frequently used to describe the situation of a website forcibly and silently downloading malware on to a visitor’s system, but clicking on pop-up ads or viewing an email message may also result in the user being subjected to this attack.


E

ENCRYPTION: The use of a cipher or algorithm to transform data, such as a program’s code, into an unintelligible form. There are many different ways to perform encryption, based on the algorithm or cipher used. Some examples of encryption algorithms include ROT13 and the Vigenère cipher. Encryption usually requires a specific piece of information (a ‘key’) in order to transform the encrypted information back to a usable state when necessary. The simplest form of encryption uses a static, unchanging key; more sophisticated encryption may involve changes in the key itself as well as in the code to be transformed. Virus writers use encryption to create encrypted viruses, which are harder for antivirus programs to detect. Once installed, the encrypted virus uses the key to decrypt its own code and execute it.

EXPLOIT VS EXPLOIT KIT: Exploit: an object (a program, a section of code, even a string of characters) that takes advantage of a vulnerability in a program or operating system to perform various actions. An exploit is almost always used in a malicious context. If successfully used, exploits can provide an attacker with a wide range of possible actions, from viewing data in a restricted-user database to almost complete control of a compromised system. Exploit kit: a server that has a selection of exploits targeting vulnerabilities in several software products or versions, and the capability to analyze the client and select the proper exploit. A typical exploit kit has a selection of exploits for different web browsers and plugins.

H

HACKING: The act of breaking into workstations, servers or mobile phones through a network or other connection. A typical example of hacking would be someone finding a vulnerability in a server and then using an exploit against that vulnerability to access the system.

HACKTIVISM: A type of activism that uses hacking to push an agenda. The most typical cases of hacktivism involve website defacement, in which attackers gain control of a web page and change it to show political or other messages. Twitter, Facebook and other social media accounts are often seized for hacktivism purposes.

HARDENING: Improving the security of a server or workstation by modifying security, server or application settings. A typical example of hardening would be to reduce the attack surface by disabling features that are not needed by a client or server application. For example, disabling JavaScript in a PDF reader will break most PDF exploits.

HEURISTICS: Reasoning-based automation that is used to detect malware or other attacks. Both clients and servers in security clouds use heuristics. Basically, heuristics model human decisions for computer programs, allowing those programs to automate decision-making processes. F-Secure uses heuristics to detect malware and other types of attacks.
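A worked implementation of the two ciphers the encryption entry above names, added here and not part of the F-Secure glossary: a Vigenère encrypt/decrypt routine, and ROT13 expressed as its one-letter-key special case, which is why ROT13 hides nothing from anyone who knows the algorithm. Function and variable names are this example’s own.

```python
"""Keyed encryption from the glossary entry: Vigenère and ROT13.

Added example, not from the F-Secure glossary. Each plaintext letter is
shifted by the shift value of the matching key letter (A=0 ... Z=25); the
key repeats over the message. ROT13 is the same routine with the fixed
one-letter key 'N' (shift 13), so the "key" is public and the transform
is self-inverse: applying it twice restores the text.
"""
import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) text under a repeating alphabetic key.

    Non-letters pass through unchanged and do not consume a key letter;
    letter case is preserved.
    """
    key = key.upper()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must consist of one or more A-Z letters")
    shifts = [ALPHABET.index(k) for k in key]
    out = []
    i = 0  # position in the key, advanced only when a letter is processed
    for ch in text:
        if ch.upper() not in ALPHABET:
            out.append(ch)
            continue
        s = shifts[i % len(shifts)]
        if decrypt:
            s = -s
        base = ALPHABET if ch.isupper() else ALPHABET.lower()
        out.append(base[(base.index(ch) + s) % 26])
        i += 1
    return "".join(out)


def rot13(text):
    """ROT13: a fixed shift of 13, i.e. Vigenère with the public key 'N'."""
    return vigenere(text, "N")


if __name__ == "__main__":
    ct = vigenere("ATTACK AT DAWN", "LEMON")
    print(ct, "->", vigenere(ct, "LEMON", decrypt=True))
    print(rot13("Hello, World!"), "->", rot13(rot13("Hello, World!")))
```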


K

KEYLOGGER: A program or hardware component that surreptitiously monitors and stores all the keystrokes typed on a device’s keyboard. Some keylogger programs will also forward the stored information to an external server for easier retrieval by the attacker. Keyloggers are typically used by attackers to steal vital information such as personal details, credit card details, online account login credentials, and so on. The stolen information can then be used to perpetrate crimes such as identity theft, online fraud, monetary theft, and so on. Keylogger programs are typically installed on a device by other malware, though they may also be manually installed by an attacker with physical access to the device. Hardware components must be manually installed.

L

LAYERED PROTECTION: A protection principle in which multiple methods are used to protect against attacks. Layered protection is based on the reality that it is almost impossible to make one security solution that can stop 100% of attacks. Providing layered protection requires the use of multiple technologies in security solutions.

M

MAN-IN-THE-MIDDLE ATTACK: A type of attack that involves an undetected third party actively eavesdropping on and controlling communications between two systems. The specific technical details of how the attack is performed depend on the type of communication being intercepted (wireless, Internet, mail, etc.), but for it to be successful, the attacker must be able to impersonate each side of the dialogue and convince them that the communication is private and authentic. MITM attacks are usually done in order to intercept or modify messages sent between the two systems, or to inject false information.

O

ONLINE SCAMS = PHISHING: A type of social engineering attack in which fraudulent communications are used to trick the user into giving out sensitive information, such as passwords, account information and other details. Phishing is a criminal activity in many jurisdictions. A phishing attack usually involves a fake communication, often supposedly from a trusted corporation or institution, that requires some kind of response from the user. Usually, the subject matter is enticing or alarming, to motivate the user into complying. Victims are then directed to a specific (usually fraudulent) website in order to trick them into providing information to the attackers. Phishing attempts are most commonly made via email, but attempts made by instant message, SMS and even voicemail are also known. Malware may also drop phishing communications as part of its payload. Phishing can often be executed using spam emails, but targeted phishing attacks also occur. The information stolen can have considerable value to a criminal, but its loss can be even more significant to the victim. Such information theft is rapidly becoming a major concern for law enforcement agencies and web service operators worldwide.


P

PATCHING: A patch is a program or piece of code issued by a program vendor to fix issues in a program or operating system. Patches are usually issued to fix bugs, vulnerabilities or usability issues. A good security practice is to install patches as soon as possible after they are released. Unfortunately, for many businesses and home users, there may be a significant delay between the time a patch is released and when it is installed on an affected application or machine, leaving them vulnerable to attacks.

R

RANSOMWARE: A malicious application that steals or encrypts a user’s data or system, then demands a ransom payment to restore the data or normal system access. Ransomware programs typically encrypt files on a computer or device, then display a message stating that the user needs to pay a certain sum in a specified manner. The specifics of how the encryption is done, the kind of message displayed and the payment method to be used usually differ based on the ransomware family involved. This form of extortion works on the assumption that the user values the data enough to pay for its recovery. However, there is no guarantee of actual recovery, even after a payment is made. As the encryption is usually extremely difficult to break, the best safeguard against losing access to critical data this way is to keep up-to-date backups of your files in a separate, unconnected location or device. Up-to-date antivirus protection and user caution are also key in avoiding unintentional contact with ransomware.

REMOTE CODE EXECUTION: In computer security, remote code execution means that an outside party is able to run arbitrary commands on a target machine or in a target process, almost always with malicious intent. Remote code execution is usually the goal of a system or program exploit, as it essentially means an attacker can take complete control of the compromised machine.

REPUTATION: Information about whether an application, URL or other object is malicious, known to be clean, or unknown. Reputation is the information used for whitelisting or blacklisting applications.


S

SANDBOXING: An isolated, tightly controlled virtual environment that replicates a normal computer system. Sandboxes are usually virtual machines installed as a completely contained entity on a host, or ‘real’, machine. Security researchers often use sandboxes to run and examine suspect, untested or malicious code without risking damage to their actual systems. Modern antivirus programs also use sandboxes to run suspicious programs found on a device, which allows the program to be scanned in order to examine its behavior. If the suspect program performs a harmful routine within the sandbox, it can be identified as malicious without affecting the actual machine. As malware evolves constantly, some sophisticated threats are now ‘VM-aware’. They first check for the presence of a virtual machine or sandbox on the system. If one is found, the malware can refuse to run, or even uninstall itself as a precaution against detection.

SOCIAL ENGINEERING: A general term used to describe attacks that leverage psychological or social pressures to dupe an unsuspecting victim into providing sensitive information such as passwords, account details and so on. Social engineering attacks can take place both online and offline. Online social engineering attacks usually take the form of phishing or pharming attempts, which present unsuspecting users with legitimate-looking emails or websites in order to convince potential victims to part with important information or money. Another form of online social engineering involves convincing a user to download a file, usually in the guise of a security or application update, game or other desired program. However, once downloaded and run, the file turns out to be something entirely different, and almost always malicious. Social engineering attacks tend to be effective in spite of their simplicity, as they exploit natural human tendencies based on trust, desire and curiosity.

SPEAR-PHISHING: Phishing in which the attacker has studied the target and is able to personalize the attack to make it more credible. Spear-phishing is also used to describe sending malicious documents with customized content, while conventional phishing is used to describe attacks that rely on scams rather than malware or exploits.


SPOOFING: The act of falsifying characteristics or data. Spoofing is usually done in order to conduct malicious activities. For example, if a spam email’s header is given a false sender address in order to hide the actual source of the spam, the email header is said to be ‘spoofed’. An attack can also involve elements of spoofing, as it prevents or complicates the process of identifying the correct source of the attack. There are many kinds of such ‘spoofing attacks’: email spoofing, Internet Protocol spoofing, URL spoofing, and so on.

SPYWARE: A program designed to compromise personal or confidential information. Spyware can be installed on a system without a user’s authorization or knowledge. Spyware varies widely in the kinds of actions it performs. Some common actions include displaying unsolicited pop-ups, hijacking a browser’s home or search pages, redirecting browsing results and monitoring user activities. These actions may border on, or be outright considered, malicious. Spyware is sometimes considered a gray area in terms of ethics and legality. Depending on the specific action, context of use and applicable laws, spyware may be legal and acceptable, dubious but unlegislated, or outright illegal and unethical. Complicating the issue is that some spyware is not intentionally designed as such. Instead, programming errors may result in a program performing actions that make it behave like spyware. Once the flaws are corrected, the program may then be reclassified.

SQL INJECTION: A type of attack that exploits poor user-input filtering to inject and run executable commands in improperly configured Structured Query Language (SQL) databases. Technically, a few types of SQL injection attack are possible, but the end result of all successful SQL injection attacks is that an attacker can manipulate or gain total control over the database. SQL databases are a common feature of many applications. Often, companies will use such databases for vital operations such as payrolls and customer records. The most commonly reported attacks are launched against databases that can be accessed via a website, simply because these databases are much easier for a hacker to reach. SQL databases are commonly used on websites with dynamic content, making them popular targets for hackers. SQL injection attacks only work against databases that don’t sanitize user input properly. Whenever a user interacts with a database, such as by trying to log into a “Members Only” section of a website, any input they provide should be ‘sanitized’, or checked to make sure it doesn’t contain invalid characters. Poor or improper checking of the input data may cause programming errors, which an alert or malicious user can then exploit.
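The vulnerable and hardened forms of the query that the SQL injection entry above describes, as an added example that is not the glossary’s own code: a login check built by string formatting beside the same check written as a parameterized query, both run against a constructed in-memory SQLite table. The table contents, the two login functions and the malformed username are constructed assumptions.

```python
"""SQL injection: string-built query beside its parameterized fix.

Added example, not from the F-Secure glossary. The users table, the
login functions and the malformed username are all constructed. The
stored password is a plain string only to keep the example short; a real
system stores a salted password hash.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input, so input becomes part of the command.

    A quote character in the input ends the string literal and whatever
    follows is parsed as SQL, which is exactly what the glossary entry calls
    poor input sanitizing.
    """
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so a quote in the input is compared as data, never run as syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both versions with a valid login and with a malformed username."""
    conn = make_db()
    # Constructed malformed input: the quote closes the username literal and
    # the SQL comment marker '--' discards the rest of the string-built query,
    # including the password comparison.
    malformed = "alice' --"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_malformed": login_vulnerable(conn, malformed, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct-horse"),
        "safe_malformed": login_safe(conn, malformed, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login accepted' if result else 'login rejected'}")
```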


T

TCP: Transmission Control Protocol, the most commonly used networking protocol for sending packets over the Internet.

TROJAN: A deceptive program that performs additional actions without the user’s knowledge or permission. It does not replicate itself. Trojans were named after the Trojan Horse of Greek legend, and are sometimes referred to as Trojan Horse programs. Quite often, the Trojan will have, or pretend to have, a functionality that offers a useful service to the user (a screensaver, a utility program, a service pack or application update and so on) in order to encourage the user to run the file. While the legitimate action is executing, the Trojan silently performs its unauthorized routines in the background. The effects of a Trojan’s payload on a computer system can range from mildly annoying pranks (like changing desktop icon positions) to serious, user-inhibiting functions (like disabling the keyboard or mouse). They can even produce critically destructive actions (like erasing files or stealing data). Trojans can cause significant damage by stealing financially sensitive data such as bank account credentials, or personal information that can be used for identity theft. There are numerous types of Trojans, and they can be categorized based on the malicious action(s) they perform.

TWO-FACTOR AUTHENTICATION: A user login method that requires information in addition to a username and password. A typical example of two-factor authentication would be verification through an SMS.

U

UNWANTED SOFTWARE/APP: Software that is not malware, but has annoying or intrusive features that make it something most people would prefer not to run. A typical example would be adware that focuses only on information gathering, and does not display advertisements by itself.

V

VULNERABILITY: A flaw or security loophole in a program, web service, network or operating system that allows a user or attacker to perform unintended actions or gain unauthorized access. A vulnerability can be a flaw in a program’s fundamental design, a bug in its code that allows improper usage of the program, or simply weak security practices that allow attackers to access the program without directly affecting its code. Fixing a vulnerability requires the program vendor to create a patch (adding or changing the source code to rectify the flaw or loophole) and distribute it to all users of the vulnerable product to protect them from possible exploitation. A publicly announced vulnerability is often targeted by attackers, who attempt to exploit it before the vendor can create and release a patch (known as a zero-day attack). Unfortunately, there is often a significant time gap between when a patch is released and when it is installed on a vulnerable machine. During that time, the machine remains exposed to attacks targeting the vulnerability.


W

WHALING: Whaling is basically the same as spear-phishing, i.e. a type of social engineering attack in which fraudulent communications are used to trick the user into giving out sensitive information. The difference, however, is in the target. Whaling refers specifically to highly targeted attacks against executives and other high-profile targets. These targets hold business-critical data, and are worth the extra effort of catching the “big phish”.

WORM: A program that replicates by sending copies of itself from one infected system to other systems or devices accessible over a network. Though most worms focus only on self-propagation, some also include other malicious actions in their payload, for example installing other malware, changing system settings, and so on. A worm is usually classified based on the type of network it uses to spread, such as the Internet, email, IRC chat channels, peer-to-peer networks, Bluetooth, SMS or social media networks. A worm-infected machine can suffer from productivity and network issues if the malware’s propagation takes up too much of the system’s resources. If many machines in a network are simultaneously sending out worm copies, the entire network may be affected, causing significant disruption and inconvenience.

Z

ZERO-DAY: A zero-day vulnerability is a vulnerability that is still unknown to the vendor and therefore unpatched. Attacks that are performed before the vulnerability has a publicly available patch, or even before it is known to the vendor, are called zero-day attacks. Even after a patch becomes publicly available, there is often a time gap before most companies or home users can install the patch on a vulnerable machine, which gives attackers an additional opportunity to perform a successful attack. Due to the high chance of attackers targeting a recently announced vulnerability, many security researchers work quietly with vendors to create and release the patch for a vulnerability before publishing the news to the general public.

ZOMBIE (IN CONNECTION TO BOTNETS): A computer, server or mobile device that has been infected with specialized malware known as a bot, which allows an attacker to control it. A zombie machine is also often known as a bot. Zombie or bot machines are usually roped into a network of similarly infected devices, known as a botnet. This collective group of controlled machines is under the control of the attacker(s), who can be referred to as the botnet controller, operator or bot herder. Instructions from the bot herder to a zombie in the botnet, or to all of them, are usually sent via a Command and Control (CnC) server, which relays the commands. The CnC server could be a dedicated server, a malicious or compromised website, or even a hijacked social media account. Some botnets also use a peer-to-peer (P2P) command structure, so that instructions are relayed between infected machines, making it much harder to trace the attacker(s). The collective resources of all the machines in a botnet are often used for malicious activity, such as launching distributed denial of service (DDoS) attacks, sending out spam, and so on. Often, the legitimate owner or user of a zombie machine has no idea that the device has been hijacked and put to nefarious use.

Copyright © 2014-2015 F-Secure – All rights reserved.

Learn more about F-Secure Labs on our website.

Business Security Insider by F-Secure: Your information source for the latest news and insights into cyber security and IT security for businesses.

WEBLOG - LATEST FROM THE LABS: Updates on research done by F-Secure Labs, and views on the latest developments in information security and digital technology.

GET SOLUTIONS & GET INFORMED: Find a solution for a security concern with one of our free tools, or learn more about threats and products in our descriptions and advisories.

REMOVAL TOOLS: Use these free tools to scan and remove malicious programs.

THREAT DESCRIPTIONS: Details of threats identified by F-Secure Labs.

SECURITY ADVISORIES: Details and fixes of all the vulnerabilities affecting F-Secure products.